Following Massive Breach, Capital One Replacing CISO: Report

Nearly four months after Capital One revealed a massive data breach, Michael Johnson, the bank's CISO, is being moved into an outside advisory role, and the company is scouting for a new security leader, according to the Wall Street Journal.

Bank employees were told Thursday that Johnson would leave the CISO position, which he had held since 2017, the newspaper reports. As Capital One prepares to find a new security leader, Mike Eason, the CIO of the company's commercial bank operation, will take over on an interim basis, according to the Journal.

Following the announcement of the breach, almost a dozen cybersecurity professionals employed at the bank quit due to differences with Johnson, the Wall Street Journal reports, citing interviews with employees who asked to remain anonymous. The employees reportedly had raised concerns about the company's failure to install certain software to help spot and defend against hacks, the newspaper reports.

Capital One did not respond to a request for comment on Friday.

On Friday, Johnson's LinkedIn profile still listed him as Capital One's CISO. In addition, Eason's LinkedIn profile still listed him as CIO of the commercial banking division. And while Eason has extensive experience in IT and technology, his profile does not list any specific cybersecurity experience.

Massive Breach

The shakeup in Capital One's security division comes after the company confirmed in August that a hacker stole data from the bank for 100 million U.S. individuals as well as 6 million Canadians (see: Capital One: Where Did the Bank Fail on Defense?).

In July, Paige A. Thompson was charged with hacking into the Capital One network and accessing the bank's data. Federal prosecutors also believe she used similar techniques to access data from over 30 other organizations over several months, and they say she could face additional charges. Earlier this week, Thompson was released from federal custody until her trial, slated to begin early next year (see: Alleged Capital One Hacker Released From Prison).

Sometime between March and July, Thompson allegedly took advantage of a misconfigured firewall within Capital One's network and then gained access to several years' worth of credit card data stored within the company's cloud storage system, according to the federal indictment.

To bypass security within the organizations she targeted, Thompson allegedly created tools to scan servers hosted by a cloud computing company, according to the indictment. She looked for misconfigured web application firewalls that would allow her to send commands from outside the networks to access the data stored within the networks, prosecutors allege.

Although the cloud provider involved is not specified in the indictment, Capital One has previously stated that it uses Amazon Web Services for its cloud infrastructure and that it also uses the company's Simple Cloud Storage Service, or Amazon S3, to store its data. Thompson briefly worked at AWS, according to news reports.

Security Scapegoats

After major breaches, the loss of public trust can lead to the end of careers for powerful executives, says Charles King, president and analyst at Pund-IT, an independent IT consulting firm based in Hayward, California.

"While CEOs and other C-level executives sometimes appear to have few restraints on their personal behavior, most are required to follow a handful of simple rules: Don't damage the company, embarrass the board of directors, injure shareholders or anger customers," King tells Information Security Media Group. "Being victimized by cybercriminals seeking valuable consumer data ticks all of these boxes, so it's not unusual for the senior executives responsible to pay the ultimate job-related price."

Other CISOs and security heads who have been ousted following a breach include Uber's CSO Joe Sullivan and his deputy, Craig Clark, who allegedly covered up a breach in 2017 that exposed the personal information of 57 million (see: Fast and Furious Data Breach Scandal Overtakes Uber).

And sometimes it goes even further up the corporate ladder. In 2014, the CEO of Target, Gregg Steinhafel, resigned following a breach that affected as many as 70 million of the retailer's customers, costing the company about $1 billion in clean-up costs and lawsuits.

About the Author

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.
